npm-install-security-check
Comparing version 1.0.3 to 1.0.4
37
index.js
#! /usr/bin/env node | ||
var configContents | ||
var currentDir = process.cwd() | ||
var fs = require('fs') | ||
var path = require('path') | ||
// Check for a config file in parent directories until we find one | ||
while (currentDir.length !== 0) { | ||
var configPath = path.join(currentDir, 'npm-install-security-check.json') | ||
try { | ||
configContents = fs.readFileSync(configPath) | ||
break // since we found a config file we can stop looking | ||
} catch (err) { | ||
// do nothing | ||
} | ||
var segments = currentDir.split(path.sep) | ||
if (segments.length === 1) { | ||
currentDir = '' | ||
} else { | ||
segments.pop() | ||
currentDir = segments.join(path.sep) | ||
} | ||
} | ||
if (configContents) { | ||
try { | ||
var config = JSON.parse(configContents) | ||
if (config.silent) { | ||
process.exit(0) | ||
} | ||
} catch (err) { | ||
console.error(err) | ||
} | ||
} | ||
var msg = 'Warning: You are running "npm install" with scripts enabled which is a potential security risk.\n' + | ||
@@ -4,0 +41,0 @@ 'You should run npm install with the --ignore-scripts flag or update your npm config via:\n\n' + |
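Review bot: The catch around `fs.readFileSync(configPath)` swallows every error, so a config file that exists but cannot be read (EACCES, EISDIR) is treated exactly like a missing one and the walk silently moves on; only `err.code === 'ENOENT'` should be ignored. The split/pop loop also ends with `currentDir = ''` as soon as the last path segment is removed, so on POSIX the filesystem root itself is never checked, even though the README promises any parent directory is honoured; whether the `path.sep` split behaves on Windows drive roots (`C:\`) is not something I can confirm from the hunk. Walking with `path.dirname` until it returns its own input fixes both the root case and the platform question. The section is a rendered diff with markers lost, so I assume all of these lines are new in 1.0.4.
```javascript
// Check for a config file in parent directories until we find one
var currentDir = process.cwd()
while (true) {
  var configPath = path.join(currentDir, 'npm-install-security-check.json')
  try {
    configContents = fs.readFileSync(configPath)
    break // since we found a config file we can stop looking
  } catch (err) {
    if (err.code !== 'ENOENT') console.error(err) // unreadable config is worth reporting
  }
  var parentDir = path.dirname(currentDir)
  if (parentDir === currentDir) break // reached the filesystem root
  currentDir = parentDir
}
// … unchanged: config parsing, silent check and warning message …
```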
{ | ||
"name": "npm-install-security-check", | ||
"version": "1.0.3", | ||
"version": "1.0.4", | ||
"description": "Warn users when they are running npm install with scripts enabled", | ||
@@ -5,0 +5,0 @@ "scripts": { |
@@ -21,1 +21,15 @@ # npm-install-security-check | ||
[npm-url]: https://www.npmjs.com/package/npm-install-security-check | ||
## Silence warning | ||
If you want to silence the warning that this package prints to the console | ||
simply add the following file to the directory in which you run `npm install` | ||
from or any of it's parent directories. | ||
*npm-install-security-check.json * | ||
```json | ||
{ | ||
"silent": true | ||
} | ||
``` |
2391
37
35
0
2